
Re: traffic between LVS clusters

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: traffic between LVS clusters
From: Rodney McKee <rodney.mckee@xxxxxxxxxxxxxx>
Date: Fri, 29 Sep 2006 08:58:43 +1000
Thanks for the help from Tom and Joseph,

I'm going the way of using source NAT on the real servers; at this layer
I'm not looking to catch client IP from the application.
Some traffic may be sent directly between the real servers, so
controlling what is NAT'd should work well.


On Wed, 2006-09-27 at 18:48 -0700, Tom wrote:

> Rodney,
> 
> I assume you are asking how to keep real servers from sending packets
> directly back to the client which happens to be on the same LAN.  The problem
> being that the client (a real server in this case) is trying to connect to a
> VIP address but is getting response packets from another real server's IP
> address which of course won't work.
> 
> From a network perspective, you could solve this in a number of ways.  The
> trick is to make the packets on the connections between the two groups of
> real servers always traverse your LVS director.
> 
> One solution would be to NAT the source IP addresses of the real servers
> that will be connecting to the secondary VIP to something local to the
> director so that the real servers don't see the actual client IP.  This is
> usually a bad solution as your application will not be able to record the IP
> address of the clients, but might work for you since you should be able to
> limit the source NAT'd addresses to your real servers.  Interestingly, you
> will be literally NAT'ing both the source and destination addresses for
> different reasons with this solution.
> 
> You could also force the two groups of real servers to always route packets
> through the director via static routes.
> 
> Most easily, however, you could simply put the different real server groups
> on different subnets so that they always route via the director even though
> they are on the same LAN as each other.
> 
> Tom
> 
> 
> On 9/27/06, Rodney Mckee <rodney.mckee@xxxxxxxxxxxxxx> wrote:
> >
> > Hi,
> >
> > I'm looking to have http traffic from 3 real servers from one site
> > access 2 real servers for another site using the same director.
> > We are looking to have the main site issue requests to a second
> > clustered layer and I was looking to set up a second VIP with associated
> > real servers and have the traffic load balanced using the existing LVS
> > router.
> >
> > The setup is using LVS-NAT.
> >
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  10.11.0.0/24         10.11.0.0/24
> > MASQUERADE  all  --  10.11.0.0/24         anywhere
> >
> > Rgds
> > Rodney
> >
> >
> >
> > _______________________________________________
> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> >
> >
> >

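A small model of the return-path problem Tom describes and of two of his fixes (source NAT at the director, separate subnets), added here as an illustration and not part of the thread. Only 10.11.0.0/24 comes from the posted iptables output; the VIP, director and host addresses are constructed assumptions.

```python
import ipaddress

# Constructed addresses: the LAN matches the page's 10.11.0.0/24; the VIP,
# director IP and host addresses are assumptions for illustration.
LAN = ipaddress.ip_network("10.11.0.0/24")
VIP = ipaddress.ip_address("192.0.2.10")
DIRECTOR = ipaddress.ip_address("10.11.0.1")

def reply_source_seen_by_client(client, real_server, real_net=LAN, snat_to=None):
    """Return the source IP the client sees on the reply to its VIP connection.

    client      -- host that opened a connection to VIP
    real_server -- backend the director picked (destination NAT VIP -> RIP)
    real_net    -- on-link network of the replying real server
    snat_to     -- if set, the director also rewrites the source to this address
    """
    client, real_server = map(ipaddress.ip_address, (client, real_server))
    # Forward path: director rewrites dst VIP -> RIP, optionally src -> snat_to.
    src_at_real = ipaddress.ip_address(snat_to) if snat_to else client
    # Return path: the real server routes on the destination of its reply.
    if src_at_real in real_net and src_at_real != DIRECTOR:
        # On-link peer: the reply is delivered directly, bypassing the director,
        # so its source is never rewritten back from RIP to VIP.
        return real_server
    # Off-link peer (or the director itself): the reply traverses the director,
    # which reverses the NAT and restores VIP as the source.
    return VIP

def connection_works(client, real_server, **kw):
    # A TCP client only accepts replies whose source is the address it dialled.
    return reply_source_seen_by_client(client, real_server, **kw) == VIP

if __name__ == "__main__":
    cases = {
        "same LAN, no source NAT": dict(client="10.11.0.21"),
        "same LAN, source NAT to director": dict(client="10.11.0.21", snat_to="10.11.0.1"),
        "client group on another subnet": dict(client="10.11.1.21"),
        "external client": dict(client="198.51.100.7"),
    }
    for name, kw in cases.items():
        print(f"{name}: works={connection_works(real_server='10.11.0.31', **kw)}")
```
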